analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

IEXPLORE.EXE

Full analysis: https://app.any.run/tasks/6a2fd471-4933-457c-a87a-94dd9a9c3a0f
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: December 14, 2018, 15:13:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, Nullsoft Installer self-extracting archive
MD5:

9C181B1351AF9D8574DF0AAEB0E278DE

SHA1:

16010BAA64A7D21FE9C435ABAC13798CCFEDD0CD

SHA256:

3E4DE6797FB83963BF660C2DA8FD0FD523130E6B48B7834BA48D3F635D4E1ECE

SSDEEP:

98304:DqlVpGyyT4ll/NNYuG9M8ZVC1BjB8yGTnTWe9YUxQSPNZPz44z77mBu67B+CbON:MGZT4llVN1apVkFGT5KSPNOe7mBuyQzN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • IEXPLORE.EXE (PID: 2568)
      • explorer.exe (PID: 116)
      • catchme.tmp (PID: 2336)

    • Application was dropped or rewritten from another process

      • ERUNT.3XE (PID: 2664)
      • iexplore.exe (PID: 2464)
      • PEV.3XE (PID: 2916)
      • iexplore.exe (PID: 3440)
      • iexplore.exe (PID: 2808)
      • PEV.3XE (PID: 2064)
      • iexplore.exe (PID: 2768)
      • iexplore.exe (PID: 2600)
      • iexplore.exe (PID: 3704)
      • gsar.3XE (PID: 2752)
      • iexplore.exe (PID: 3760)
      • iexplore.exe (PID: 3276)
      • nsAA3.tmp (PID: 2324)
      • pev.3XE (PID: 2408)
      • swreg.3XE (PID: 2504)
      • swreg.3XE (PID: 3608)
      • sed.3XE (PID: 3344)
      • swreg.3XE (PID: 2868)
      • grep.3XE (PID: 3476)
      • pev.3XE (PID: 3152)
      • swsc.3XE (PID: 2696)
      • grep.3XE (PID: 2368)
      • swxcacls.3XE (PID: 2092)
      • PEV.3XE (PID: 3680)
      • grep.3XE (PID: 2476)
      • swreg.3XE (PID: 3032)
      • setpath.3XE (PID: 2804)
      • cmd.exe (PID: 2912)
      • ns25FC.tmp (PID: 2652)
      • cmd.3XE (PID: 3728)
      • PEV.3XE (PID: 2840)
      • iexplore.exe (PID: 3960)
      • swreg.3XE (PID: 3656)
      • pev.3XE (PID: 2892)
      • Hidec.3XE (PID: 3692)
      • NirCmd.3XE (PID: 2232)
      • NirCmd.3XE (PID: 2588)
      • pev.3XE (PID: 3792)
      • swreg.3XE (PID: 3944)
      • swreg.3XE (PID: 2744)
      • grep.3XE (PID: 3020)
      • swsc.3XE (PID: 3488)
      • grep.3XE (PID: 3780)
      • hidec.3XE (PID: 3488)
      • swreg.3XE (PID: 3064)
      • swreg.3XE (PID: 2544)
      • swreg.3XE (PID: 3400)
      • swreg.3XE (PID: 3624)
      • pev.3XE (PID: 3832)
      • swreg.3XE (PID: 2632)
      • grep.3XE (PID: 2324)
      • swreg.3XE (PID: 2288)
      • swreg.3XE (PID: 4060)
      • swreg.3XE (PID: 2916)
      • grep.3XE (PID: 992)
      • sed.3XE (PID: 2536)
      • pev.3XE (PID: 3712)
      • swreg.3XE (PID: 3328)
      • swreg.3XE (PID: 2116)
      • sed.3XE (PID: 1228)
      • swreg.3XE (PID: 4080)
      • pev.3XE (PID: 3572)
      • pev.3XE (PID: 3564)
      • sed.3XE (PID: 2444)
      • sed.3XE (PID: 2200)
      • swreg.3XE (PID: 3388)
      • swreg.3XE (PID: 2232)
      • swreg.3XE (PID: 3220)
      • swreg.3XE (PID: 3936)
      • rmbr.3XE (PID: 3448)
      • sed.3XE (PID: 2256)
      • grep.3XE (PID: 2388)
      • swsc.3XE (PID: 3256)
      • swreg.3XE (PID: 2864)
      • swreg.3XE (PID: 4056)
      • grep.3XE (PID: 2404)
      • pev.3XE (PID: 3548)
      • handle.3XE (PID: 3884)
      • swreg.3XE (PID: 2340)
      • grep.3XE (PID: 3628)
      • grep.3XE (PID: 3844)
      • grep.3XE (PID: 684)
      • swreg.3XE (PID: 2492)
      • grep.3XE (PID: 3924)
      • swreg.3XE (PID: 2468)
      • sed.3XE (PID: 2216)
      • swreg.3XE (PID: 3048)
      • swxcacls.3XE (PID: 3340)
      • swreg.3XE (PID: 4064)
      • grep.3XE (PID: 3316)
      • grep.3XE (PID: 3744)
      • swreg.3XE (PID: 3936)
      • swxcacls.3XE (PID: 3532)
      • sed.3XE (PID: 3560)
      • swreg.3XE (PID: 3252)
      • sed.3XE (PID: 2448)
      • swxcacls.3XE (PID: 1948)
      • sed.3XE (PID: 2632)
      • swxcacls.3XE (PID: 2532)
      • grep.3XE (PID: 3372)
      • swreg.3XE (PID: 2188)
      • grep.3XE (PID: 2476)
      • grep.3XE (PID: 2304)
      • grep.3XE (PID: 3804)
      • catchme.3XE (PID: 3588)
      • ATTRIB.3XE (PID: 2384)
      • sed.3XE (PID: 3396)
      • sed.3XE (PID: 2928)
      • cmd.3XE (PID: 3404)
      • PV.3XE (PID: 2188)
      • grep.3XE (PID: 2964)
      • sed.3XE (PID: 2812)
      • cscript.exe (PID: 3188)
      • sed.3XE (PID: 2992)
      • pev.3XE (PID: 2192)
      • sed.3XE (PID: 3380)
      • grep.3XE (PID: 3820)
      • grep.3XE (PID: 2864)
      • pev.3XE (PID: 3328)
      • swxcacls.3XE (PID: 3392)
      • ATTRIB.3XE (PID: 2504)
      • NirCmd.3XE (PID: 2296)
      • swreg.3XE (PID: 3080)
      • grep.3XE (PID: 3848)
      • grep.3XE (PID: 3544)
      • CSCRIPT.3XE (PID: 2328)
      • grep.3XE (PID: 3940)
      • grep.3XE (PID: 3828)
      • pev.3XE (PID: 2584)
      • grep.3XE (PID: 2704)
      • swreg.3XE (PID: 3204)
      • pev.3XE (PID: 2740)
      • grep.3XE (PID: 2816)
      • pev.3XE (PID: 3872)
      • grep.3XE (PID: 2508)
      • grep.3XE (PID: 2860)
      • grep.3XE (PID: 3184)
      • grep.3XE (PID: 2236)
      • pev.3XE (PID: 2528)
      • hidec.3XE (PID: 3924)
      • pev.3XE (PID: 2292)
      • pev.3XE (PID: 3116)
      • swreg.3XE (PID: 3620)
      • attrib.exe (PID: 3116)
      • CF2048.3XE (PID: 2764)
      • swreg.3XE (PID: 3872)
      • CF2048.3XE (PID: 2620)
      • sed.3XE (PID: 3972)
      • pev.3XE (PID: 3604)
      • ATTRIB.3XE (PID: 3088)
      • ATTRIB.3XE (PID: 4092)
      • grep.3XE (PID: 908)
      • CF2048.3XE (PID: 3500)
      • NirCmdC.3XE (PID: 2684)
      • grep.3XE (PID: 4036)
      • grep.3XE (PID: 3008)
      • sed.3XE (PID: 3084)
      • grep.3XE (PID: 2236)
      • PV.3XE (PID: 3180)
      • swxcacls.3XE (PID: 636)
      • swreg.3XE (PID: 2160)
      • pev.3XE (PID: 3412)
      • grep.3XE (PID: 2788)
      • grep.3XE (PID: 4076)
      • grep.3XE (PID: 3832)
      • grep.3XE (PID: 2676)
      • swreg.3XE (PID: 4000)
      • swxcacls.3XE (PID: 3748)
      • PV.3XE (PID: 3824)
      • swxcacls.3XE (PID: 2288)
      • sed.3XE (PID: 3604)
      • CF2048.3XE (PID: 3288)
      • sed.3XE (PID: 3288)
      • pev.3XE (PID: 2212)
      • sed.3XE (PID: 3420)
      • swreg.3XE (PID: 2624)
      • PEV.exe (PID: 1820)
      • grep.3XE (PID: 3064)
      • grep.3XE (PID: 3028)
      • swreg.3XE (PID: 2300)
      • grep.3XE (PID: 296)
      • sed.3XE (PID: 3052)
      • swsc.3XE (PID: 1948)
      • grep.3XE (PID: 340)
      • pev.3XE (PID: 2460)
      • swsc.3XE (PID: 4036)
      • grep.3XE (PID: 3112)
      • NIRKMD.3XE (PID: 2480)
      • grep.3XE (PID: 3904)
      • hidec.3XE (PID: 2368)
      • pev.3XE (PID: 4072)
      • swreg.3XE (PID: 2776)
      • grep.3XE (PID: 3992)
      • sed.3XE (PID: 3888)
      • pev.3XE (PID: 1200)
      • pev.3XE (PID: 2792)
      • CF2048.3XE (PID: 3024)
      • swreg.3XE (PID: 2624)
      • swreg.3XE (PID: 3052)
      • swxcacls.3XE (PID: 1688)
      • PEV.exe (PID: 2412)
      • gsar.3XE (PID: 3096)
      • swxcacls.3XE (PID: 2224)
      • ATTRIB.3XE (PID: 2924)
      • swreg.3XE (PID: 2312)
      • SWSC.exe (PID: 1348)
      • swreg.3XE (PID: 3060)
      • swreg.3XE (PID: 2144)
      • hidec.3XE (PID: 2572)
      • swreg.3XE (PID: 3508)
      • SWSC.exe (PID: 2540)
      • swreg.3XE (PID: 3304)
      • swreg.3XE (PID: 2928)
      • swreg.3XE (PID: 2300)
      • hidec.3XE (PID: 3332)
      • swreg.3XE (PID: 3248)
      • swreg.3XE (PID: 2164)
      • pev.3XE (PID: 2608)
      • swreg.3XE (PID: 3332)
      • pev.3XE (PID: 972)
      • grep.3XE (PID: 2628)
      • PEV.exe (PID: 3708)
      • grep.3XE (PID: 2956)
      • hidec.3XE (PID: 2400)
      • grep.3XE (PID: 3512)
      • grep.3XE (PID: 2692)
      • NirCmd.3XE (PID: 2440)
      • SWSC.exe (PID: 2736)
      • sed.3XE (PID: 4056)
      • pev.3XE (PID: 4028)
      • SWREG.exe (PID: 3344)
      • swreg.3XE (PID: 2936)
      • grep.3XE (PID: 3156)
      • SWREG.exe (PID: 2676)
      • SWREG.exe (PID: 2340)
      • pev.3XE (PID: 1812)
      • SWREG.exe (PID: 1396)
      • grep.3XE (PID: 672)
      • SWREG.exe (PID: 3648)
      • SWREG.exe (PID: 3608)
      • SWREG.exe (PID: 4032)
      • SWREG.exe (PID: 3268)
      • SWREG.exe (PID: 3424)
      • SWREG.exe (PID: 2508)
      • SWREG.exe (PID: 3428)
      • grep.3XE (PID: 3520)
      • grep.exe (PID: 2352)
      • sed.exe (PID: 3240)
      • NirCmd.3XE (PID: 2876)
      • NirCmd.3XE (PID: 2660)
      • NirCmd.3XE (PID: 684)
      • NirCmd.3XE (PID: 1328)
      • NIRKMD.3XE (PID: 2800)
      • NirCmd.3XE (PID: 4060)
      • CSCRIPT.3XE (PID: 2848)
      • sed.exe (PID: 2240)
      • sed.exe (PID: 3060)
      • SWREG.exe (PID: 2804)
      • SWREG.exe (PID: 3744)
      • sed.exe (PID: 1760)
      • SWREG.exe (PID: 3528)
      • SWREG.exe (PID: 2592)
      • SWREG.exe (PID: 3688)
      • grep.exe (PID: 3044)
      • sed.exe (PID: 1928)
      • SWREG.exe (PID: 3128)
      • SWREG.exe (PID: 3776)
      • grep.exe (PID: 2224)
      • SWREG.exe (PID: 3880)
      • SWREG.exe (PID: 3532)
      • sed.exe (PID: 3352)
      • NIRKMD.3XE (PID: 2332)
      • SWREG.exe (PID: 1504)
      • sed.exe (PID: 2308)
      • sed.3XE (PID: 940)
      • pev.3XE (PID: 656)
      • pev.3XE (PID: 3636)
      • hidec.3XE (PID: 1704)
      • swxcacls.3XE (PID: 1712)
      • SWSC.exe (PID: 3304)
      • CF2048.3XE (PID: 2756)
      • swxcacls.3XE (PID: 1288)
      • PV.3XE (PID: 3736)
      • CSCRIPT.3XE (PID: 2776)
      • swreg.3XE (PID: 2460)
      • NirCmdC.3XE (PID: 2940)
      • sed.3XE (PID: 1464)
      • PEV.exe (PID: 2120)
      • sed.3XE (PID: 3232)
      • grep.3XE (PID: 1324)
      • pev.3XE (PID: 3852)
      • grep.3XE (PID: 2328)
      • dumphive.3XE (PID: 996)
      • swreg.3XE (PID: 3212)
      • grep.3XE (PID: 2860)
      • swreg.3XE (PID: 3756)
      • sed.3XE (PID: 3504)
      • dumphive.3XE (PID: 3400)
      • swreg.3XE (PID: 452)
      • grep.3XE (PID: 4012)
      • sed.3XE (PID: 3140)
      • sed.3XE (PID: 3636)
      • sed.3XE (PID: 3340)
      • dumphive.3XE (PID: 2712)
      • dumphive.3XE (PID: 3856)
      • sed.3XE (PID: 2944)
      • swreg.3XE (PID: 3248)
      • swreg.3XE (PID: 2680)
      • grep.3XE (PID: 3812)
      • grep.3XE (PID: 2636)
      • sed.3XE (PID: 1852)
      • sed.3XE (PID: 3868)
      • swreg.3XE (PID: 2696)
      • grep.3XE (PID: 656)
      • grep.3XE (PID: 2404)
      • pev.3XE (PID: 3564)
      • dumphive.3XE (PID: 1360)
      • CF2048.3XE (PID: 128)
      • sed.3XE (PID: 3224)
      • sed.3XE (PID: 3420)
      • pev.3XE (PID: 672)
      • grep.3XE (PID: 2392)
      • swreg.3XE (PID: 1360)
      • sed.3XE (PID: 2068)
      • grep.3XE (PID: 2296)
      • pev.3XE (PID: 2944)
      • sed.3XE (PID: 4012)
      • sed.3XE (PID: 2900)
      • sed.3XE (PID: 1928)
      • swreg.3XE (PID: 2828)
      • sed.3XE (PID: 3600)
      • swreg.3XE (PID: 3836)
      • pev.3XE (PID: 2272)
      • swreg.3XE (PID: 2780)
      • pev.3XE (PID: 2408)
      • swreg.3XE (PID: 3536)
      • pev.3XE (PID: 3880)
      • sed.3XE (PID: 3352)
      • swreg.3XE (PID: 3856)
      • swreg.3XE (PID: 3992)
      • swreg.3XE (PID: 3020)
      • swreg.3XE (PID: 3852)
      • swreg.3XE (PID: 1832)
      • swreg.3XE (PID: 3436)
      • swreg.3XE (PID: 3668)
      • swreg.3XE (PID: 2572)
      • swreg.3XE (PID: 3920)
      • swreg.3XE (PID: 2752)
      • swreg.3XE (PID: 1940)
      • grep.3XE (PID: 2276)
      • CF2048.3XE (PID: 3688)
      • grep.3XE (PID: 3840)
      • CF2048.3XE (PID: 2640)
      • swreg.3XE (PID: 2416)
      • CF2048.3XE (PID: 1748)
      • swreg.3XE (PID: 2816)
      • swreg.3XE (PID: 4016)
      • CF2048.3XE (PID: 3552)
      • CF2048.3XE (PID: 3596)
      • CF2048.3XE (PID: 768)
      • CF2048.3XE (PID: 3652)
      • CF2048.3XE (PID: 2700)
      • grep.3XE (PID: 3900)
      • sed.3XE (PID: 2372)
      • grep.3XE (PID: 2532)
      • grep.3XE (PID: 3472)
      • grep.3XE (PID: 364)
      • grep.3XE (PID: 3652)
      • grep.3XE (PID: 3316)
      • CF2048.3XE (PID: 1036)
      • grep.3XE (PID: 4044)
      • grep.3XE (PID: 3592)
      • grep.3XE (PID: 2356)
      • grep.3XE (PID: 1852)
      • grep.3XE (PID: 4044)
      • grep.3XE (PID: 1464)
      • grep.3XE (PID: 3308)
      • grep.3XE (PID: 3500)
      • grep.3XE (PID: 3284)
      • grep.3XE (PID: 1408)
      • grep.3XE (PID: 2656)
      • grep.3XE (PID: 3368)
      • grep.3XE (PID: 4004)
      • grep.3XE (PID: 1704)
      • grep.3XE (PID: 940)
      • grep.3XE (PID: 3232)
      • grep.3XE (PID: 2936)
      • grep.3XE (PID: 3928)
      • grep.3XE (PID: 2948)
      • grep.3XE (PID: 2564)
      • grep.3XE (PID: 4068)
      • grep.3XE (PID: 3004)
      • grep.3XE (PID: 1316)
      • grep.3XE (PID: 2444)
      • grep.3XE (PID: 1912)
      • grep.3XE (PID: 2888)
      • grep.3XE (PID: 1396)
      • grep.3XE (PID: 3080)
      • grep.3XE (PID: 3192)
      • grep.3XE (PID: 3196)
      • grep.3XE (PID: 3240)
      • grep.3XE (PID: 3132)
      • sed.3XE (PID: 3236)
      • sed.3XE (PID: 2712)
      • sed.3XE (PID: 3292)
      • grep.3XE (PID: 3988)
      • grep.3XE (PID: 3504)
      • sed.3XE (PID: 3000)
      • sed.3XE (PID: 2872)
      • sed.3XE (PID: 3188)
      • sed.3XE (PID: 2356)
      • sed.3XE (PID: 1332)
      • sed.3XE (PID: 3848)
      • sed.3XE (PID: 3428)
      • CF2048.3XE (PID: 2068)
      • sed.3XE (PID: 3512)
      • sed.3XE (PID: 3868)
      • sed.3XE (PID: 3968)
      • sed.3XE (PID: 3036)
      • sed.3XE (PID: 2584)
      • sed.3XE (PID: 3740)
      • sed.3XE (PID: 3844)
      • sed.3XE (PID: 3672)
      • sed.3XE (PID: 2208)
      • sed.3XE (PID: 2824)
      • sed.3XE (PID: 2576)
      • sed.3XE (PID: 3204)
      • sed.3XE (PID: 2380)
      • sed.3XE (PID: 3812)
      • sed.3XE (PID: 4092)
      • sed.3XE (PID: 3132)
      • sed.3XE (PID: 3712)
      • sed.3XE (PID: 3472)
      • sed.3XE (PID: 1740)
      • sed.3XE (PID: 2416)
      • CF2048.3XE (PID: 4024)
      • CF2048.3XE (PID: 4068)
      • CF2048.3XE (PID: 3284)
      • CF2048.3XE (PID: 3508)
      • sed.3XE (PID: 2072)
      • CF2048.3XE (PID: 2124)
      • CF2048.3XE (PID: 3008)
      • CF2048.3XE (PID: 3536)
      • CF2048.3XE (PID: 3092)
      • CF2048.3XE (PID: 2536)
      • CF2048.3XE (PID: 2700)
      • CF2048.3XE (PID: 3764)
      • CF2048.3XE (PID: 3648)
      • sed.3XE (PID: 892)
      • hidec.3XE (PID: 3392)
      • CF2048.3XE (PID: 2820)
      • NIRKMD.3XE (PID: 932)
      • CF2048.3XE (PID: 2788)
      • pev.3XE (PID: 3700)
      • CF2048.3XE (PID: 3820)
      • CF2048.3XE (PID: 3056)
      • SWSC.exe (PID: 2552)
      • CF2048.3XE (PID: 3128)
      • pev.3XE (PID: 2124)
      • NirCmd.3XE (PID: 2372)
      • ROUTE.3XE (PID: 2284)
      • pev.3XE (PID: 768)
      • hidec.3XE (PID: 3108)
      • ROUTE.exe (PID: 3140)
      • sed.3XE (PID: 2196)
      • NIRKMD.3XE (PID: 1476)
      • pev.3XE (PID: 3692)
      • REGT.3XE (PID: 3884)
      • grep.3XE (PID: 3004)
      • CF2048.3XE (PID: 2580)
      • grep.3XE (PID: 2828)
      • swreg.3XE (PID: 2240)
      • grep.3XE (PID: 3408)
      • pev.3XE (PID: 3112)
      • grep.3XE (PID: 3904)
      • REGT.3XE (PID: 312)
      • sed.3XE (PID: 3468)
      • pev.3XE (PID: 3464)
      • NirCmdC.3XE (PID: 3436)
      • sed.3XE (PID: 3544)
      • sed.3XE (PID: 3596)
      • sed.3XE (PID: 2520)
      • CF2048.3XE (PID: 3672)
      • CF2048.3XE (PID: 3980)
      • sed.3XE (PID: 3668)
      • sed.3XE (PID: 3764)
      • CF2048.3XE (PID: 2736)
      • pev.3XE (PID: 1820)
      • sed.3XE (PID: 2972)
      • pev.3XE (PID: 3044)
      • gsar.3XE (PID: 3700)
      • sed.3XE (PID: 3364)
      • CF2048.3XE (PID: 3160)
      • pev.3XE (PID: 2208)
      • gsar.3XE (PID: 1740)
      • pev.3XE (PID: 3696)
      • gsar.3XE (PID: 2484)
      • grep.3XE (PID: 2628)
      • grep.3XE (PID: 3800)
      • grep.3XE (PID: 3000)
      • grep.3XE (PID: 3184)
      • CF2048.3XE (PID: 2088)
      • CF2048.3XE (PID: 3456)
      • grep.3XE (PID: 2464)
      • grep.3XE (PID: 2436)
      • CF2048.3XE (PID: 2392)
      • CF2048.3XE (PID: 1968)
      • grep.3XE (PID: 2892)
      • CF2048.3XE (PID: 3144)
      • grep.3XE (PID: 2488)
      • grep.3XE (PID: 1044)
      • grep.3XE (PID: 3156)
      • grep.3XE (PID: 2140)
      • CF2048.3XE (PID: 3808)
      • CF2048.3XE (PID: 3412)
      • grep.3XE (PID: 1836)
      • CF2048.3XE (PID: 2876)
      • grep.3XE (PID: 3972)
      • sed.3XE (PID: 2192)
      • sed.3XE (PID: 1096)
      • sed.3XE (PID: 1408)
      • sed.3XE (PID: 2420)
      • sed.3XE (PID: 3684)
      • sed.3XE (PID: 2932)
      • sed.3XE (PID: 996)
      • sed.3XE (PID: 2420)
      • sed.3XE (PID: 3016)
      • sed.3XE (PID: 252)
      • sed.3XE (PID: 2856)
      • sed.3XE (PID: 1884)
      • sed.3XE (PID: 3916)
      • sed.3XE (PID: 3940)
      • sed.3XE (PID: 2956)
      • sed.3XE (PID: 3816)
      • sed.3XE (PID: 3372)
      • sed.3XE (PID: 2952)
      • sed.3XE (PID: 3660)
      • sed.3XE (PID: 3496)
      • sed.3XE (PID: 2684)
      • sed.3XE (PID: 2852)
      • sed.3XE (PID: 1020)
      • sed.3XE (PID: 2904)
      • sed.3XE (PID: 912)
      • sed.3XE (PID: 2656)
      • sed.3XE (PID: 3292)
      • sed.3XE (PID: 2644)
      • sed.3XE (PID: 2380)
      • sed.3XE (PID: 3808)
      • sed.3XE (PID: 3036)
      • sed.3XE (PID: 3860)
      • sed.3XE (PID: 1620)
      • sed.3XE (PID: 1288)
      • sed.3XE (PID: 2856)
      • sed.3XE (PID: 3916)
      • sed.3XE (PID: 2872)
      • sed.3XE (PID: 3068)
      • sed.3XE (PID: 3864)
      • sed.3XE (PID: 3660)
      • sed.3XE (PID: 2636)
      • sed.3XE (PID: 3664)
      • sed.3XE (PID: 280)
      • sed.3XE (PID: 2908)
      • sed.3XE (PID: 3840)
      • sed.3XE (PID: 2216)
      • sed.3XE (PID: 3860)
      • sed.3XE (PID: 2152)
      • sed.3XE (PID: 3136)
      • sed.3XE (PID: 2708)
      • sed.3XE (PID: 3408)
      • sed.3XE (PID: 680)
      • sed.3XE (PID: 3912)
      • sed.3XE (PID: 788)
      • sed.3XE (PID: 2900)
      • sed.3XE (PID: 2580)
      • sed.3XE (PID: 2640)
      • sed.3XE (PID: 2348)
      • sed.3XE (PID: 3900)
      • sed.3XE (PID: 3780)
      • sed.3XE (PID: 3800)
      • sed.3XE (PID: 1960)
      • sed.3XE (PID: 2344)
      • sed.3XE (PID: 2220)
      • sed.3XE (PID: 1620)
      • sed.3XE (PID: 252)
      • sed.3XE (PID: 2952)
      • sed.3XE (PID: 3464)
      • sed.3XE (PID: 3368)
      • sed.3XE (PID: 3164)
      • sed.3XE (PID: 3492)
      • sed.3XE (PID: 3444)
      • sed.3XE (PID: 1340)
      • sed.3XE (PID: 2960)
      • sed.3XE (PID: 312)
      • sed.3XE (PID: 3616)
      • sed.3XE (PID: 452)
      • sed.3XE (PID: 2140)
      • sed.3XE (PID: 968)
      • sed.3XE (PID: 2672)
      • sed.3XE (PID: 1816)
      • sed.3XE (PID: 3144)
      • sed.3XE (PID: 1668)
      • sed.3XE (PID: 2072)
      • sed.3XE (PID: 2492)
      • sed.3XE (PID: 1536)
      • sed.3XE (PID: 2360)
      • sed.3XE (PID: 680)
      • sed.3XE (PID: 2608)
      • sed.3XE (PID: 4016)
      • sed.3XE (PID: 3016)
      • sed.3XE (PID: 2888)
      • sed.3XE (PID: 2272)
      • sed.3XE (PID: 3964)
      • sed.3XE (PID: 3376)
      • sed.3XE (PID: 3108)
      • sed.3XE (PID: 184)
      • sed.3XE (PID: 3968)
      • sed.3XE (PID: 348)
      • sed.3XE (PID: 932)
      • sed.3XE (PID: 1960)
      • sed.3XE (PID: 2376)
      • grep.3XE (PID: 1884)
      • grep.3XE (PID: 128)
      • grep.3XE (PID: 1944)
      • sed.3XE (PID: 3416)
      • pev.3XE (PID: 1864)
      • grep.3XE (PID: 2812)
      • sed.3XE (PID: 3040)
      • grep.3XE (PID: 2336)
      • grep.3XE (PID: 924)
      • grep.3XE (PID: 1440)
      • mtee.3XE (PID: 3696)
      • sed.3XE (PID: 3964)
      • grep.3XE (PID: 3732)
      • sed.3XE (PID: 3168)
      • ATTRIB.3XE (PID: 3768)
      • pev.3XE (PID: 348)
      • swxcacls.3XE (PID: 3308)
      • grep.3XE (PID: 2672)
      • grep.3XE (PID: 3748)
      • ATTRIB.3XE (PID: 3876)
      • pev.3XE (PID: 2688)
      • grep.3XE (PID: 3388)
      • pev.3XE (PID: 2396)
      • NirCmd.3XE (PID: 1504)
      • sed.3XE (PID: 2796)
      • sed.3XE (PID: 2388)
      • sed.3XE (PID: 3584)
      • pev.3XE (PID: 2852)
      • sed.3XE (PID: 1816)
      • sed.3XE (PID: 2180)
      • sed.3XE (PID: 3444)
      • sed.3XE (PID: 1940)
      • pev.3XE (PID: 2116)
      • grep.3XE (PID: 3212)
      • sed.3XE (PID: 3224)
      • pev.3XE (PID: 2180)
      • HIDEC.3XE (PID: 4004)
      • SWREG.3XE (PID: 660)
      • NirCmdC.3XE (PID: 4052)
      • catchme.tmp (PID: 2336)
      • swreg.3XE (PID: 2976)
      • swreg.3XE (PID: 3724)
      • swreg.3XE (PID: 3988)
      • swxcacls.3XE (PID: 3164)
      • PV.3XE (PID: 2348)
      • swreg.3XE (PID: 1968)
      • grep.3XE (PID: 2960)
      • swreg.3XE (PID: 2268)
      • swreg.3XE (PID: 3028)
      • swreg.3XE (PID: 1096)
      • swreg.3XE (PID: 2552)
      • pev.3XE (PID: 3336)
      • grep.3XE (PID: 3984)
      • pev.3XE (PID: 3324)
      • CF2048.3XE (PID: 3496)
      • sed.3XE (PID: 2560)
      • swreg.3XE (PID: 3124)
      • swxcacls.3XE (PID: 3272)
      • sed.3XE (PID: 1332)
      • sed.3XE (PID: 3456)
      • PV.3XE (PID: 3088)
      • pev.3XE (PID: 1048)
      • pev.3XE (PID: 1684)
      • grep.3XE (PID: 2376)
      • sed.3XE (PID: 1380)
      • sed.3XE (PID: 1176)
      • pev.3XE (PID: 3048)
      • rmbr.3XE (PID: 2252)
      • pev.3XE (PID: 2320)
      • grep.3XE (PID: 2972)
      • grep.3XE (PID: 3680)
      • grep.3XE (PID: 2320)
      • gsar.3XE (PID: 3492)
      • gsar.3XE (PID: 3644)
      • grep.3XE (PID: 3092)
      • gsar.3XE (PID: 2896)
      • grep.3XE (PID: 1484)
      • grep.3XE (PID: 3864)
      • grep.3XE (PID: 2424)
      • gsar.3XE (PID: 3100)
      • gsar.3XE (PID: 2084)
      • gsar.3XE (PID: 3480)
      • grep.3XE (PID: 992)
      • NIRKMD.3XE (PID: 3100)
      • grep.3XE (PID: 2500)
      • pev.3XE (PID: 3296)
      • rmbr.3XE (PID: 2384)
      • catchme.3XE (PID: 3684)
      • grep.3XE (PID: 3580)
      • grep.3XE (PID: 4052)
      • grep.3XE (PID: 2276)
      • catchme.3XE (PID: 3664)
      • swreg.3XE (PID: 3996)
      • sed.3XE (PID: 2484)
      • swreg.3XE (PID: 2760)
      • sed.3XE (PID: 3136)
      • grep.3XE (PID: 4080)
      • sed.3XE (PID: 2360)
      • CF2048.3XE (PID: 2748)
      • grep.3XE (PID: 3296)
      • grep.3XE (PID: 3928)
      • sed.3XE (PID: 2604)
      • SF.exe (PID: 2256)
      • pev.3XE (PID: 1340)
      • SF.exe (PID: 3168)
      • sed.3XE (PID: 3364)
      • NIRCMD.exe (PID: 3996)
      • swreg.3XE (PID: 1020)
      • SF.exe (PID: 3196)
      • SF.exe (PID: 2932)
      • SF.exe (PID: 1216)
      • SF.exe (PID: 2168)
      • SF.exe (PID: 1380)
      • SF.exe (PID: 2400)
      • SF.exe (PID: 1448)
      • sed.3XE (PID: 272)
      • swreg.3XE (PID: 3656)
      • pev.3XE (PID: 2948)
      • sed.3XE (PID: 1932)
      • grep.3XE (PID: 3468)
      • CF2048.3XE (PID: 2884)
      • SWREG.3XE (PID: 2452)
      • PEV.exe (PID: 1416)
      • pev.3XE (PID: 704)
      • handle.3XE (PID: 2520)
      • NIRKMD.3XE (PID: 1840)

    • Stealing of credential data

      • ERUNT.3XE (PID: 2664)

    • Modifies Windows Defender service settings

      • PEV.3XE (PID: 2840)
      • PEV.3XE (PID: 3680)
      • pev.3XE (PID: 2460)

    • Modifies Windows security services settings

      • PEV.3XE (PID: 3680)
      • PEV.3XE (PID: 2840)
      • pev.3XE (PID: 2460)

    • Actions looks like stealing of personal data

      • pev.3XE (PID: 672)

    • Runs injected code in another process

      • catchme.tmp (PID: 2336)

    • Application was injected by another process

      • explorer.exe (PID: 116)

  • SUSPICIOUS

    • Creates executable files which already exist in Windows

      • IEXPLORE.EXE (PID: 2568)
      • cmd.3XE (PID: 3728)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • IEXPLORE.EXE (PID: 2568)
      • CF2048.3XE (PID: 2620)

    • Starts application with an unusual extension

      • nsAA3.tmp (PID: 2324)
      • IEXPLORE.EXE (PID: 2568)
      • iexplore.exe (PID: 3760)
      • cmd.exe (PID: 2912)
      • ns25FC.tmp (PID: 2652)
      • iexplore.exe (PID: 3960)
      • Hidec.3XE (PID: 3692)
      • cmd.3XE (PID: 3728)
      • cmd.3XE (PID: 3404)
      • hidec.3XE (PID: 3924)
      • CF2048.3XE (PID: 2764)
      • NirCmdC.3XE (PID: 2684)
      • CF2048.3XE (PID: 2620)
      • hidec.3XE (PID: 2368)
      • CF2048.3XE (PID: 3024)
      • CF2048.3XE (PID: 3980)
      • CF2048.3XE (PID: 3672)
      • NirCmdC.3XE (PID: 3436)
      • HIDEC.3XE (PID: 4004)
      • pev.3XE (PID: 2180)
      • NirCmdC.3XE (PID: 4052)
      • CF2048.3XE (PID: 3496)
      • CF2048.3XE (PID: 2884)
      • NIRCMD.exe (PID: 3996)

    • Modifies the open verb of a shell class

      • PEV.3XE (PID: 2916)
      • IEXPLORE.EXE (PID: 2568)
      • PEV.3XE (PID: 2064)
      • PEV.3XE (PID: 3680)
      • PEV.3XE (PID: 2840)
      • pev.3XE (PID: 2892)
      • pev.3XE (PID: 3604)
      • pev.3XE (PID: 2460)
      • pev.3XE (PID: 2608)

    • Executable content was dropped or overwritten

      • ERUNT.3XE (PID: 2664)
      • IEXPLORE.EXE (PID: 2568)
      • gsar.3XE (PID: 2752)
      • cmd.3XE (PID: 3728)
      • catchme.3XE (PID: 3588)
      • pev.3XE (PID: 2740)
      • CF2048.3XE (PID: 2764)
      • CF2048.3XE (PID: 2620)
      • gsar.3XE (PID: 3096)
      • catchme.tmp (PID: 2336)

    • Creates files in the Windows directory

      • ERUNT.3XE (PID: 2664)
      • handle.3XE (PID: 3884)
      • CF2048.3XE (PID: 2620)

    • Starts CMD.EXE for commands execution

      • IEXPLORE.EXE (PID: 2568)

    • Executes scripts

      • cmd.3XE (PID: 3728)

    • Creates or modifies windows services

      • PEV.3XE (PID: 2840)
      • PEV.3XE (PID: 3680)
      • handle.3XE (PID: 3884)
      • catchme.3XE (PID: 3588)
      • pev.3XE (PID: 2460)
      • rmbr.3XE (PID: 2252)

    • Creates files in the driver directory

      • handle.3XE (PID: 3884)

    • Removes files from Windows directory

      • handle.3XE (PID: 3884)
      • CF2048.3XE (PID: 2620)

    • Application launched itself

      • cmd.3XE (PID: 3728)
      • CF2048.3XE (PID: 2764)
      • CF2048.3XE (PID: 2620)

    • Uses ATTRIB.EXE to modify file attributes

      • CF2048.3XE (PID: 2764)

    • Creates files in the user directory

      • CF2048.3XE (PID: 2620)

    • Low-level read access rights to disk partition

      • rmbr.3XE (PID: 2252)
      • catchme.3XE (PID: 3684)
      • rmbr.3XE (PID: 2384)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • IEXPLORE.EXE (PID: 2568)
      • CF2048.3XE (PID: 2764)
      • CF2048.3XE (PID: 2620)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3244)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

ProductName: ComboFix
OriginalFileName: ComboFix.exe
LegalCopyright: sUBs
InternalName: ComboFix.exe
FileVersion: 18.08.08.01
FileDescription: ComboFix NSIS Installer
CompanyName: Swearware
CharacterSet: Windows, Latin1
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 18.8.8.1
FileVersionNumber: 18.8.8.1
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x314d0
UninitializedDataSize: 180224
InitializedDataSize: 8192
CodeSize: 20480
LinkerVersion: 6
PEType: PE32
TimeStamp: 2014:05:11 22:03:36+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 11-May-2014 20:03:36
Detected languages:
  • English - United States
CompanyName: Swearware
FileDescription: ComboFix NSIS Installer
FileVersion: 18.08.08.01
InternalName: ComboFix.exe
LegalCopyright: sUBs
OriginalFileName: ComboFix.exe
ProductName: ComboFix

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000C8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 11-May-2014 20:03:36
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
UPX0
0x00001000
0x0002C000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
UPX1
0x0002D000
0x00005000
0x00004800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.83959
.rsrc
0x00032000
0x00002000
0x00001C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.39646

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.26024
1013
UNKNOWN
English - United States
RT_MANIFEST
102
6.81683
184
UNKNOWN
English - United States
RT_DIALOG
103
2.01924
20
UNKNOWN
English - United States
RT_GROUP_ICON
105
7.1047
256
UNKNOWN
English - United States
RT_DIALOG
106
7.12347
284
UNKNOWN
English - United States
RT_DIALOG
111
6.08731
96
UNKNOWN
English - United States
RT_DIALOG
202
6.76113
168
UNKNOWN
English - United States
RT_DIALOG
205
6.96023
240
UNKNOWN
English - United States
RT_DIALOG
206
7.16464
268
UNKNOWN
English - United States
RT_DIALOG
211
6.07193
80
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.DLL
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
849
Monitored processes
788
Malicious processes
32
Suspicious processes
8

Behavior graph

Click at the process to see the details
drop and start drop and start drop and start drop and start drop and start drop and start drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start inject iexplore.exe no specs iexplore.exe erunt.3xe nsaa3.tmp no specs pev.3xe no specs iexplore.exe no specs iexplore.exe no specs pev.3xe no specs iexplore.exe no specs iexplore.exe no specs iexplore.exe no specs iexplore.exe no specs iexplore.exe no specs iexplore.exe no specs cmd.exe no specs swxcacls.3xe no specs gsar.3xe swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swsc.3xe no specs grep.3xe no specs pev.3xe no specs sed.3xe no specs grep.3xe no specs pev.3xe no specs setpath.3xe no specs grep.3xe no specs ns25fc.tmp no specs pev.3xe no specs iexplore.exe no specs pev.3xe no specs hidec.3xe no specs cmd.3xe pev.3xe no specs swreg.3xe no specs swreg.3xe no specs grep.3xe no specs nircmd.3xe no specs swreg.3xe no specs grep.3xe no specs pev.3xe no specs findstr.exe no specs hidec.3xe no specs nircmd.3xe no specs cscript.exe no specs pev.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swsc.3xe no specs grep.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs sed.3xe no specs sed.3xe no specs grep.3xe no specs pev.3xe no specs pev.3xe no specs swreg.3xe no specs sed.3xe no specs pev.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs sed.3xe no specs swreg.3xe no specs swreg.3xe no specs chcp.com no specs swreg.3xe no specs sed.3xe no specs grep.3xe no specs swreg.3xe no specs swsc.3xe no specs rmbr.3xe no specs handle.3xe no specs grep.3xe no specs grep.3xe no specs pev.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs sed.3xe no specs grep.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs grep.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs swxcacls.3xe no specs swxcacls.3xe no specs swxcacls.3xe no specs swxcacls.3xe no specs grep.3xe no specs attrib.3xe no specs swreg.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs cmd.3xe no specs catchme.3xe sed.3xe no specs grep.3xe no specs sed.3xe no specs sed.3xe no specs pv.3xe no specs sed.3xe no specs sed.3xe no specs grep.3xe no specs pev.3xe no specs swxcacls.3xe no specs pev.3xe no specs attrib.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs nircmd.3xe no specs cscript.3xe no specs pev.3xe no specs swreg.3xe no specs swreg.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs pev.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs pev.3xe grep.3xe no specs pev.3xe no specs pev.3xe no specs swreg.3xe no specs hidec.3xe no specs pev.3xe no specs cf2048.3xe attrib.exe no specs cf2048.3xe chcp.com no specs pev.3xe no specs swreg.3xe no specs sed.3xe no specs attrib.3xe no specs findstr.exe no specs grep.3xe no specs attrib.3xe no specs nircmdc.3xe no specs cf2048.3xe no specs swreg.3xe no specs chcp.com no specs grep.3xe no specs grep.3xe no specs swxcacls.3xe no specs pv.3xe no specs sed.3xe no specs grep.3xe no specs swreg.3xe no specs grep.3xe no specs grep.3xe no specs pev.3xe no specs grep.3xe no specs grep.3xe no specs swxcacls.3xe no specs pv.3xe no specs sed.3xe no specs swxcacls.3xe no specs cf2048.3xe no specs pev.3xe no specs pev.exe no specs swreg.3xe no specs sed.3xe no specs grep.3xe no specs sed.3xe no specs sed.3xe no specs swreg.3xe no specs swsc.3xe no specs grep.3xe no specs grep.3xe no specs pev.3xe no specs grep.3xe no specs nirkmd.3xe no specs swsc.3xe no specs pev.3xe no specs pev.3xe no specs grep.3xe no specs pev.3xe no specs grep.3xe no specs findstr.exe no specs swreg.3xe no specs sed.3xe no specs grep.3xe no specs swreg.3xe no specs swreg.3xe no specs hidec.3xe no specs cf2048.3xe no specs swxcacls.3xe no specs pev.exe no specs swxcacls.3xe no specs attrib.3xe no specs gsar.3xe swreg.3xe no specs hidec.3xe no specs swsc.exe no specs hidec.3xe no specs swsc.exe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs pev.3xe no specs grep.3xe no specs pev.3xe no specs pev.exe no specs nircmd.3xe no specs hidec.3xe no specs swsc.exe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs pev.3xe no specs grep.3xe no specs swreg.3xe no specs sed.3xe no specs swreg.exe no specs swreg.exe no specs pev.3xe no specs swreg.exe no specs swreg.exe no specs swreg.exe no specs swreg.exe no specs swreg.exe no specs swreg.exe no specs swreg.exe no specs swreg.exe no specs swreg.exe no specs grep.3xe no specs sed.exe no specs grep.3xe no specs nircmd.3xe no specs nircmd.3xe no specs grep.exe no specs nircmd.3xe no specs nircmd.3xe no specs nircmd.3xe no specs nirkmd.3xe no specs cscript.3xe no specs SPPSurrogate no specs vssvc.exe no specs sed.exe no specs sed.exe no specs sed.exe no specs grep.exe no specs sed.exe no specs swreg.exe no specs swreg.exe no specs swreg.exe no specs swreg.exe no specs swreg.exe no specs swreg.exe no specs swreg.exe no specs swreg.exe no specs swreg.exe no specs grep.exe no specs sed.exe no specs swreg.exe no specs sed.exe no specs drvinst.exe no specs pev.3xe no specs nirkmd.3xe no specs cscript.3xe no specs pev.3xe no specs hidec.3xe no specs swsc.exe no specs swxcacls.3xe no specs pv.3xe no specs swxcacls.3xe no specs sed.3xe no specs cf2048.3xe no specs nircmdc.3xe no specs pev.exe no specs chcp.com no specs grep.3xe no specs swreg.3xe no specs sort.exe no specs sed.3xe no specs sed.3xe no specs grep.3xe no specs pev.3xe no specs swreg.3xe no specs grep.3xe no specs dumphive.3xe no specs sed.3xe no specs swreg.3xe no specs grep.3xe no specs dumphive.3xe no specs sed.3xe no specs swreg.3xe no specs grep.3xe no specs dumphive.3xe no specs sed.3xe no specs swreg.3xe no specs grep.3xe no specs dumphive.3xe no specs sed.3xe no specs swreg.3xe no specs sed.3xe no specs sed.3xe no specs grep.3xe no specs swreg.3xe no specs grep.3xe no specs dumphive.3xe no specs sed.3xe no specs pev.3xe no specs findstr.exe no specs sed.3xe no specs chcp.com no specs sed.3xe no specs chcp.com no specs cf2048.3xe no specs grep.3xe no specs swreg.3xe no specs sed.3xe no specs chcp.com no specs pev.3xe no specs sed.3xe no specs swreg.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs grep.3xe no specs pev.3xe swreg.3xe no specs pev.3xe no specs swreg.3xe no specs pev.3xe no specs swreg.3xe no specs pev.3xe no specs swreg.3xe no specs swreg.3xe no specs sed.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs grep.3xe no specs swreg.3xe no specs grep.3xe no specs swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs cf2048.3xe no specs cf2048.3xe no specs cf2048.3xe no specs cf2048.3xe no specs cf2048.3xe no specs cf2048.3xe no specs cf2048.3xe no specs cf2048.3xe no specs cf2048.3xe no specs sed.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs cf2048.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs cf2048.3xe no specs findstr.exe no specs cf2048.3xe no specs findstr.exe no specs cf2048.3xe no specs findstr.exe no specs cf2048.3xe no specs findstr.exe no specs cf2048.3xe no specs findstr.exe no specs cf2048.3xe no specs findstr.exe no specs cf2048.3xe no specs findstr.exe no specs cf2048.3xe no specs findstr.exe no specs cf2048.3xe no specs findstr.exe no specs cf2048.3xe no specs findstr.exe no specs cf2048.3xe no specs findstr.exe no specs cf2048.3xe no specs findstr.exe no specs cf2048.3xe no specs findstr.exe no specs cf2048.3xe no specs findstr.exe no specs cf2048.3xe no specs findstr.exe no specs cf2048.3xe no specs findstr.exe no specs cf2048.3xe no specs findstr.exe no specs pev.3xe no specs chcp.com no specs cf2048.3xe no specs sed.3xe no specs pev.3xe no specs nircmd.3xe no specs hidec.3xe no specs swsc.exe no specs pev.3xe no specs nirkmd.3xe no specs route.3xe no specs pev.3xe no specs sed.3xe no specs grep.3xe no specs regt.3xe no specs nirkmd.3xe no specs hidec.3xe no specs route.exe no specs pev.3xe no specs sed.3xe no specs regt.3xe no specs cf2048.3xe no specs grep.3xe no specs grep.3xe no specs pev.3xe no specs pev.3xe no specs swreg.3xe no specs grep.3xe no specs nircmdc.3xe no specs cf2048.3xe no specs pev.3xe no specs sed.3xe no specs sed.3xe no specs grep.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs gsar.3xe no specs sed.3xe no specs sed.3xe no specs sort.exe no specs pev.3xe no specs pev.3xe no specs chcp.com no specs gsar.3xe no specs gsar.3xe no specs cf2048.3xe no specs grep.3xe no specs cf2048.3xe no specs grep.3xe no specs cf2048.3xe no specs grep.3xe no specs cf2048.3xe no specs grep.3xe no specs cf2048.3xe no specs grep.3xe no specs cf2048.3xe no specs grep.3xe no specs cf2048.3xe no specs grep.3xe no specs cf2048.3xe no specs grep.3xe no specs cf2048.3xe no specs grep.3xe no specs cf2048.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs grep.3xe no specs sed.3xe no specs sed.3xe no specs pev.3xe no specs grep.3xe no specs grep.3xe no specs attrib.3xe no specs grep.3xe no specs grep.3xe no specs pev.3xe no specs swxcacls.3xe no specs grep.3xe no specs grep.3xe no specs sed.3xe no specs mtee.3xe no specs sed.3xe no specs grep.3xe no specs pev.3xe no specs attrib.3xe no specs pev.3xe no specs nircmd.3xe no specs pev.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs sed.3xe no specs grep.3xe no specs pev.3xe no specs pev.3xe no specs hidec.3xe no specs swreg.3xe no specs nircmdc.3xe no specs catchme.tmp swreg.3xe no specs swreg.3xe no specs swreg.3xe no specs swxcacls.3xe no specs pv.3xe no specs grep.3xe no specs swreg.3xe no specs findstr.exe no specs swreg.3xe no specs swreg.3xe no specs pev.3xe no specs swreg.3xe no specs swreg.3xe no specs pev.3xe no specs findstr.exe no specs swreg.3xe no specs grep.3xe no specs sed.3xe no specs cf2048.3xe no specs sed.3xe no specs sed.3xe no specs swxcacls.3xe no specs explorer.exe pv.3xe no specs sed.3xe no specs grep.3xe no specs pev.3xe no specs sed.3xe no specs pev.3xe no specs pev.3xe no specs pev.3xe no specs grep.3xe no specs rmbr.3xe no specs grep.3xe no specs gsar.3xe no specs grep.3xe no specs gsar.3xe no specs grep.3xe no specs gsar.3xe no specs grep.3xe no specs gsar.3xe no specs grep.3xe no specs gsar.3xe no specs grep.3xe no specs gsar.3xe no specs grep.3xe no specs nirkmd.3xe no specs rmbr.3xe no specs pev.3xe no specs grep.3xe no specs catchme.3xe no specs grep.3xe no specs grep.3xe no specs catchme.3xe no specs grep.3xe no specs swreg.3xe no specs sed.3xe no specs swreg.3xe no specs sed.3xe no specs grep.3xe no specs cf2048.3xe no specs sed.3xe no specs sort.exe no specs sed.3xe no specs grep.3xe no specs grep.3xe no specs sed.3xe no specs swreg.3xe no specs pev.3xe no specs nircmd.exe no specs sf.exe no specs sf.exe no specs sf.exe no specs sf.exe no specs sf.exe no specs sf.exe no specs sf.exe no specs sf.exe no specs sf.exe no specs sed.3xe no specs swreg.3xe no specs sed.3xe no specs grep.3xe no specs pev.3xe no specs cf2048.3xe no specs chcp.com no specs swreg.3xe no specs pev.3xe no specs nirkmd.3xe no specs handle.3xe no specs pev.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3260"C:\Users\admin\Downloads\IEXPLORE.EXE" C:\Users\admin\Downloads\IEXPLORE.EXEexplorer.exe
User:
admin
Company:
Swearware
Integrity Level:
MEDIUM
Description:
ComboFix NSIS Installer
Exit code:
3221226540
Version:
18.08.08.01
2568"C:\Users\admin\Downloads\IEXPLORE.EXE" C:\Users\admin\Downloads\IEXPLORE.EXE
explorer.exe
User:
admin
Company:
Swearware
Integrity Level:
HIGH
Description:
ComboFix NSIS Installer
Exit code:
0
Version:
18.08.08.01
2664"C:\32788R22FWJFW\ERUNT.3XE" "C:\Windows\erdnt\Hiv-backup" SYSREG CURUSER OTHERUSERS /NOCONFIRMDELETEC:\32788R22FWJFW\ERUNT.3XE
IEXPLORE.EXE
User:
admin
Integrity Level:
HIGH
Exit code:
0
2324"C:\Users\admin\AppData\Local\Temp\nslE557.tmp\nsAA3.tmp" C:\32788R22FWJFW\PEV.3XE RIMPORT C:\32788R22FWJFW\EXE.regC:\Users\admin\AppData\Local\Temp\nslE557.tmp\nsAA3.tmpIEXPLORE.EXE
User:
admin
Integrity Level:
HIGH
Exit code:
0
2916C:\32788R22FWJFW\PEV.3XE RIMPORT C:\32788R22FWJFW\EXE.regC:\32788R22FWJFW\PEV.3XEnsAA3.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
3760C:\32788R22FWJFW\EN-US\iexplore.exe /w C:\32788R22FWJFW\PEV.3XE RIMPORT C:\32788R22FWJFW\EXE.regC:\32788R22FWJFW\EN-US\iexplore.exeIEXPLORE.EXE
User:
admin
Integrity Level:
HIGH
Exit code:
0
2464C:\32788R22FWJFW\iexplore.exe Script C:\32788R22FWJFW\Nirscript.datC:\32788R22FWJFW\iexplore.exeIEXPLORE.EXE
User:
admin
Company:
NirSoft
Integrity Level:
HIGH
Description:
NirCmd
Exit code:
0
Version:
2.35
2064C:\32788R22FWJFW\PEV.3XE RIMPORT C:\32788R22FWJFW\EXE.regC:\32788R22FWJFW\PEV.3XEiexplore.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2600C:\32788R22FWJFW\License\iexplore.exe -s450000-1400000 -t!k -t!o -t!g -k C:\*.exe and not { "C:\Users\admin\Downloads\IEXPLORE.EXE" or C:\32788R22FWJFW\* }C:\32788R22FWJFW\License\iexplore.exeiexplore.exe
User:
admin
Integrity Level:
HIGH
Exit code:
4
2808C:\32788R22FWJFW\License\iexplore.exe -k { "C:\ProgramData\*" or "C:\Users\admin\*" } not { "C:\Users\admin\Downloads\IEXPLORE.EXE" or C:\32788R22FWJFW\* }C:\32788R22FWJFW\License\iexplore.exeiexplore.exe
User:
admin
Integrity Level:
HIGH
Exit code:
4
Total events
3 409
Read events
1 549
Write events
0
Delete events
0

Modification events

No data
Executable files
135
Suspicious files
45
Text files
873
Unknown types
29

Dropped files

PID
Process
Filename
Type
2568IEXPLORE.EXEC:\32788R22FWJFW\023.dattext
MD5:670CBBF19119C06C2D3F3CE005DB24A1
SHA256:C5DD0199365F954D28DE7CA43C93F2186E0AB9C9088425F8C7143CCFACE82827
2568IEXPLORE.EXEC:\32788R22FWJFW\AWF.cmdtext
MD5:0AF9FF8D8313FAB8E535CCEF4C8DB10A
SHA256:150AFEDE0368D115BB26787E98AA9148335F20053791B9953E4BA4B23AD64130
2568IEXPLORE.EXEC:\32788R22FWJFW\Boot.battext
MD5:FA2E45CCEB5BB5E07A6917671DB7DDA9
SHA256:DB5D7167D96BA3F54EE6565D296CF1A0D7F80316CE3E7EFBF4461FE684964E5D
2568IEXPLORE.EXEC:\32788R22FWJFW\Assoc.cmdtext
MD5:3364A1267717EF5108004AC7E8083E9C
SHA256:7350048EEC1D07923E8F79F300F693A2E38C23D1CDAF23075B09B5A0ED56503D
2568IEXPLORE.EXEC:\32788R22FWJFW\023w7.dattext
MD5:935D25BCC25FD5444D0E1BF7ED228C24
SHA256:C89B74EF94086FC4A969E579D0653D460931508B862233ED008E0FB4FF23FA3F
2568IEXPLORE.EXEC:\32788R22FWJFW\BFE.dathiv
MD5:4159270EBC4700D923FBA2BBA4171FDD
SHA256:14DA6D6205BE3B0629EC4987F8C66543EB69FC2F45D6071076F7769F4E6CDBF9
2568IEXPLORE.EXEC:\Users\admin\AppData\Local\Temp\nslE557.tmp\W7.mactext
MD5:486DA0E231191AE975F6D2B4D14F9D39
SHA256:03DB0EDF70B6E6A3601107FA8F4FA1B1044FC83F65927C0B3B3374C041826B61
2568IEXPLORE.EXEC:\Users\admin\AppData\Local\Temp\nslE557.tmp\System.dllexecutable
MD5:A436DB0C473A087EB61FF5C53C34BA27
SHA256:75ED40311875312617D6711BAED0BE29FCAEE71031CA27A8D308A72B15A51E49
2568IEXPLORE.EXEC:\Users\admin\AppData\Local\Temp\nslE557.tmp\Vista.krltext
MD5:486DA0E231191AE975F6D2B4D14F9D39
SHA256:03DB0EDF70B6E6A3601107FA8F4FA1B1044FC83F65927C0B3B3374C041826B61
2568IEXPLORE.EXEC:\32788R22FWJFW\AppDataFile.cfxtext
MD5:FC2E291FC62F8572B2284970E9929640
SHA256:03E49ED3D789B283ADC52E62C17448DC7FFFC7699F484BD9E83D3D6461E72BD5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2568
IEXPLORE.EXE
GET
200
104.20.129.30:80
http://download.bleepingcomputer.com/sUBs/version.txt
US
text
36 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2568
IEXPLORE.EXE
104.20.129.30:80
download.bleepingcomputer.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
download.bleepingcomputer.com
  • 104.20.129.30
  • 104.20.128.30
whitelisted

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
IEXPLORE.EXE